Help me solve this one please. I have users with two levels/roles (admin and member). Users with the admin role are able to access all the data and do full CRUD on it, but a member can only read, update and delete the posts they created. The question is: how do I add an authorization check in the loadModel function so that a member can only access (read, update and delete) their own posts, while the admin is still able to access all data?
Write a master class for AR in which you make the check in afterFind:
// pseudocode: $module, $user and $record stand for the current module, the current user and the loaded row
if ($module == 'admin' && $user != 'administrator' && $record != 'mine')
    throw new Exception('You are not authorized');
This gives you 100% safety, too bad that the lists are not working now.
So add a filter in each list so it shows only the records the user is authorized to see, and the trick is done.
Never limit the security only to the list filtering: the user can always write in the URL the id of a record he is not supposed to edit, and if you don’t have the check in afterFind you will have a security issue.
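The two-layer pattern described above (afterFind as the hard check, a scope as the list filter), as an added example that is not the forum poster's code. It assumes Yii 1.x, a `Post` model with an owner column `user_id`, and an RBAC role named `admin` checked via `Yii::app()->user->checkAccess()`; it generalizes the reply by applying the afterFind check to every find, not only to an admin module.

```php
<?php
// Base AR class: every subclass gets the ownership check and the list filter.
abstract class OwnedActiveRecord extends CActiveRecord
{
    // Column that stores the owner's user id (assumed name; override per model).
    public $ownerAttribute = 'user_id';

    protected function isCurrentUserAdmin()
    {
        $user = Yii::app()->user;
        return !$user->isGuest && $user->checkAccess('admin'); // assumed RBAC role name
    }

    // Hard check: runs for every loaded row, so loadModel() / findByPk() cannot
    // hand a member another user's post even when the id is typed into the URL.
    protected function afterFind()
    {
        parent::afterFind();
        $attr = $this->ownerAttribute;
        if (!$this->isCurrentUserAdmin() && $this->$attr != Yii::app()->user->id) {
            throw new CHttpException(403, 'You are not authorized to access this record.');
        }
    }

    // List filter (named scope): members only see their own rows, so index pages
    // never trip the afterFind check; admins get the whole table.
    public function mine()
    {
        if (!$this->isCurrentUserAdmin()) {
            $this->getDbCriteria()->mergeWith(array(
                'condition' => $this->getTableAlias(false, false) . '.' . $this->ownerAttribute . '=:uid',
                'params'    => array(':uid' => Yii::app()->user->id),
            ));
        }
        return $this;
    }
}

class Post extends OwnedActiveRecord
{
    public static function model($className = __CLASS__) { return parent::model($className); }
    public function tableName() { return 'post'; } // assumed table name
}

// Controller usage:
// $model = Post::model()->findByPk($id);                         // 403 for a member's foreign post
// $dataProvider = new CActiveDataProvider(Post::model()->mine()); // list shows own posts only
```

Note that afterFind also fires for rows pulled in through relations, so a member-visible model that relates to other users' posts should load them through a scope that does not apply the check, or expose only the columns it needs.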